Canva abused for phishing activities

October 16, 2020

Cybercriminals who publish phishing sites targeting financial and other major industries are taking advantage of Canva to host their phishing pages, luring unsuspecting victims into giving up banking credentials and personally identifiable information.

Recently, the Australian graphic design company Canva was reportedly abused by cybercriminals. Founded in 2012, Canva is a design platform for creating graphic content such as logos, presentations, flyers, business cards, infographics, and other visual content.

In 2019, Canva reportedly had more than 15 million active users in 190 countries. Given the enormous growth in users on this platform, it is no wonder that cybercriminals have thought of establishing an attack against this thriving Australian graphic design company.

A private security firm has disclosed a cyber-attack orchestrated by these cybercriminals. Canva has a feature that generates shareable URLs so that other people can view the content. Cybercriminals were able to create a phishing URL hosted on Canva.

Below is a sample of a well-constructed spam email that poses as a SharePoint eFax delivery notification. This email contains a link to the phishing landing page that is hosted on


[Image: canva phishing abuse image 1]

Once the unsuspecting victim clicks on the bait Canva URL, they are sent to an intermediary HTML page hosted under


This page looks like a legitimate notice of a fax you received and has a clickable link to view the document.


[Image: canva phishing abuse image 2]



Once the link is clicked, the victim is brought to the final phishing page, where they are asked to log in with their email credentials to view the document.
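A defender-side check for the lure described above, as an added example that is not part of the original article: it flags messages that use fax or SharePoint wording while linking to a design-sharing host. The host `canva.com`, the sample message, and the names `SHARING_HOSTS` and `flag_message` are assumptions, since the article does not show the URLs.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: hosts of design/content-sharing platforms. The article names
# Canva but does not show the URL, so canva.com is an assumed value here.
SHARING_HOSTS = {"canva.com"}
# Lure wording taken from the article's description of the spam email.
LURE_TERMS = re.compile(r"\b(sharepoint|efax|fax)\b", re.I)

# Constructed sample message (not a real email).
SAMPLE = """From: eFax <noreply@fax.example>
To: user@corp.example
Subject: SharePoint eFax delivery notification
Content-Type: text/html

<p>You received a new fax.</p>
<a href="https://www.canva.com/design/EXAMPLE/view">View document</a>
<a href="https://canva.com.example/help">Help</a>
"""


class LinkCollector(HTMLParser):
    """Collect href values of <a> tags from an HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)


def on_sharing_host(url):
    """True only for the listed host or its subdomains, not lookalikes."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in SHARING_HOSTS)


def flag_message(raw):
    """Return links that pair fax/SharePoint lure text with a sharing host."""
    msg = message_from_string(raw)
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    lure = bool(LURE_TERMS.search(msg.get("Subject", "") + " " + body))
    parser = LinkCollector()
    parser.feed(body)
    return [h for h in parser.hrefs if lure and on_sharing_host(h)]
```

A message that links to the same host without the fax or SharePoint wording is not flagged, so ordinary design sharing passes through.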

The stolen credentials of these victims are collected in the cybercriminals' database. These credentials may be used to hack the accounts, for social engineering, or even be sold on the dark web.

According to the private security sector, the Australian tech unicorn is probably aware of this problem; however, it seems that resolution has been slow-moving. Many of these malicious files have remained on Canva's platform for days.

Other sites such as Google have suffered from these kinds of attacks previously, which is why they deal with such concerns at high speed. That is perhaps why Canva is at the moment the attractive target for these threat actors.

It can be recalled that back in May 2019, Canva suffered another cyber-attack in which the data of 139 million users was taken by the threat actors.

Canva is called a tech unicorn because it is now valued at $3.2 billion (2019).
